Hi,
I'm trying to get SAML working with Google Workspace. It is my first time
venturing into the SAML space. Attempting to log in with an account from my
Google Workspace tenant results in an error:

403. That’s an error.
Error: app_not_configured_for_user
Service is not configured for this user.


My guacamole.properties:

extension-priority: *, saml#, openid
saml-idp-metadata-url: file:///etc/guacamole/GoogleIDPMetadata.xml
saml-idp-url: https://accounts.google.com/o/saml2/idp?idpid=C01oaaaaa
saml-entity-id: https://accounts.google.com/o/saml2?idpid=C01oaaaaa
saml-callback-url: https://guacamole.mautobu.com/
saml-debug: true


My metadata.xml:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=C01oaaaaa"
    validUntil="2024-04-22T18:49:27.000Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>REMOVED</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C01oaaaaa"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C01oaaaaa"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>


I'm curious if it's got something to do with mappings or something. In
Google I have last name mapped to username, Name ID format is EMAIL, and
Name ID is set to primary email.

I'm kind of in the weeds here. Any help is appreciated.

-- 

*Justin Engwer*
Mautobu Business Services
250-415-3709
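An added sanity check, not part of the post or of Guacamole itself, that parses IdP metadata of the shape shown above and cross-checks it against the saml-* properties: it flags expired metadata, a saml-idp-url that matches no SingleSignOnService endpoint, and a saml-entity-id that simply reuses the IdP's own entityID (in Guacamole that property identifies Guacamole as the SP and must be the SP entity ID registered at the IdP). The idpid and hostnames are placeholders.

```python
"""Sanity-check a SAML IdP metadata file against the Guacamole SAML properties.
Added example; not part of the original post or of Guacamole itself."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample in the shape of the metadata from the post (placeholder idpid).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE"
    validUntil="2024-04-22T18:49:27.000Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Mirrors the post's guacamole.properties, with placeholder values.
SAMPLE_PROPS = {
    "saml-idp-url": "https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE",
    "saml-entity-id": "https://accounts.google.com/o/saml2?idpid=EXAMPLE",
}

def _parse_utc(stamp):
    """Parse an ISO 8601 timestamp such as 2024-04-22T18:49:27.000Z as aware UTC."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)

def check_saml_config(metadata_xml, props, now_iso=None):
    """Return a list of findings; an empty list means nothing looked wrong."""
    now = _parse_utc(now_iso) if now_iso else datetime.now(timezone.utc)
    root = ET.fromstring(metadata_xml)
    findings = []
    valid_until = root.get("validUntil")
    if valid_until and _parse_utc(valid_until) < now:
        findings.append(f"metadata expired on {valid_until}; re-download it from the IdP")
    sso_urls = {e.get("Location", "").strip()
                for e in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)}
    if props.get("saml-idp-url") not in sso_urls:
        findings.append("saml-idp-url matches no SingleSignOnService Location in the metadata")
    # saml-entity-id names Guacamole itself (the SP); it must be the SP entity ID
    # registered at the IdP, not the IdP's own entityID copied from its metadata.
    if props.get("saml-entity-id") == root.get("entityID", "").strip():
        findings.append("saml-entity-id equals the IdP entityID; use Guacamole's own SP entity ID")
    return findings

if __name__ == "__main__":
    for finding in check_saml_config(SAMPLE_METADATA, SAMPLE_PROPS):
        print("WARN:", finding)
```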
